4.3. Users and Basic Account Management

FreeBSD allows multiple users to use the computer at the same
time. While only one user can sit in front of the screen and
use the keyboard at any one time, any number of users can log
in to the system through the network. To use the system, each
user should have their own user account.

This chapter describes:

The different types of user accounts on a
FreeBSD system.

How to add, remove, and modify user accounts.

How to set limits to control the
resources that users and
groups are allowed to access.

How to create groups and add users as members of a
group.

4.3.1. Account Types

Since all access to the FreeBSD system is achieved using
accounts and all processes are run by users, user and account
management is important.

There are three main types of accounts: system accounts,
user accounts, and the superuser account.

4.3.1.1. System Accounts

System accounts are used to run services such as DNS,
mail, and web servers. The reason for this is security; if
all services ran as the superuser, they could act without
restriction.

Examples of system accounts are
daemon,
operator,
bind,
news, and
www.

nobody is the
generic unprivileged system account. However, the more
services that use
nobody, the more
files and processes that user will become associated with,
and hence the more privileged that user becomes.

4.3.1.2. User Accounts

User accounts are assigned to real people and are used
to log in and use the system. Every person accessing the
system should have a unique user account. This allows the
administrator to find out who is doing what and prevents
users from clobbering the settings of other users.

Each user can set up their own environment to
accommodate their use of the system, by configuring their
default shell, editor, key bindings, and language
settings.

Every user account on a FreeBSD system has certain
information associated with it:

User name

The user name is typed at the
login: prompt. Each user must have
a unique user name. There are a number of rules for
creating valid user names which are documented in
passwd(5). It is recommended to use user names
that consist of eight or fewer, all lower case
characters in order to maintain backwards
compatibility with applications.

Password

Each account has an associated password.

User ID (UID)

The User ID (UID) is a number
used to uniquely identify the user to the FreeBSD system.
Commands that allow a user name to be specified will
first convert it to the UID. It is
recommended to use a UID less than 65535, since higher
values may cause compatibility issues with some
software.

Group ID (GID)

The Group ID (GID) is a number
used to uniquely identify the primary group that the
user belongs to. Groups are a mechanism for
controlling access to resources based on a user's
GID rather than their
UID. This can significantly reduce
the size of some configuration files and allows users
to be members of more than one group. It is
recommended to use a GID of 65535 or lower as higher
GIDs may break some software.

Password change time

By default, passwords do not expire. However,
password expiration can be enabled on a per-user
basis, forcing some or all users to change their
passwords after a certain amount of time has
elapsed.

Account expiry time

By default, FreeBSD does not expire accounts. When
creating accounts that need a limited lifespan, such
as student accounts in a school, specify the account
expiry date using pw(8). After the expiry time
has elapsed, the account cannot be used to log in to
the system, although the account's directories and
files will remain.

User's full name

The user name uniquely identifies the account to
FreeBSD, but does not necessarily reflect the user's real
name. Similar to a comment, this information can
contain spaces, uppercase characters, and be more
than 8 characters long.

Home directory

The home directory is the full path to a directory
on the system. This is the user's starting directory
when the user logs in. A common convention is to put
all user home directories under /home/username
or /usr/home/username.
Each user stores their personal files and
subdirectories in their own home directory.

User shell

The shell provides the user's default environment
for interacting with the system. There are many
different kinds of shells and experienced users will
have their own preferences, which can be reflected in
their account settings.
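The fields just described map onto the ten colon-delimited fields of FreeBSD's /etc/master.passwd (see master.passwd(5)). The following Python script is an added example, not code from the FreeBSD Handbook or the FreeBSD project: it parses records in that format and reports where an account departs from the recommendations above (user name length and case, the UID and GID limits, account expiry and a forced password change). The records, user names, password hashes and the reference time are constructed for the example; the assumed field order is name, password, uid, gid, class, change, expire, gecos, home, shell, with 0 in the change and expire fields meaning "never".

```python
"""Added example (not part of the FreeBSD Handbook): parse records in the
ten-field format of FreeBSD's /etc/master.passwd (master.passwd(5)) and
apply the recommendations from this section. The sample records below are
constructed for the example; no real system file is read."""
import time

# master.passwd(5) field order (assumed from the FreeBSD manual page).
FIELDS = ("name", "password", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")

# Constructed sample data: hashes are placeholders, not real password hashes.
SAMPLE_MASTER_PASSWD = """\
root:$6$constructed$hash:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
jru:$6$constructed$hash:1001:1001::0:0:J. Random User:/home/jru:/bin/tcsh
intern2024:$6$constructed$hash:1002:1002::0:1704067200:Summer Intern:/home/intern2024:/bin/sh
bigid:$6$constructed$hash:70000:70000::0:0:Big UID:/home/bigid:/bin/sh
"""


def parse_master_passwd(text):
    """Return a list of dicts, one per non-empty, non-comment line."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in ("uid", "gid", "change", "expire"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def check_account(rec, now):
    """Return a list of findings for one record, following the section's advice:
    user names of eight or fewer lower-case characters, a UID below 65535,
    a GID of 65535 or lower, and the expiry fields (0 means 'never')."""
    findings = []
    name = rec["name"]
    if len(name) > 8 or name != name.lower():
        findings.append(f"{name}: user name should be 8 or fewer lower-case characters")
    if rec["uid"] >= 65535:
        findings.append(f"{name}: UID {rec['uid']} is not below 65535")
    if rec["gid"] > 65535:
        findings.append(f"{name}: GID {rec['gid']} is above 65535")
    if rec["expire"] and rec["expire"] <= now:
        findings.append(f"{name}: account expired (files remain, login disabled)")
    if rec["change"] and rec["change"] <= now:
        findings.append(f"{name}: password change required")
    return findings


def audit(text, now):
    """Audit every record; returns {name: [findings]} for records with findings."""
    result = {}
    for rec in parse_master_passwd(text):
        findings = check_account(rec, now)
        if findings:
            result[rec["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_MASTER_PASSWD, int(time.time())).items():
        for finding in findings:
            print(finding)
```

With the constructed data and a reference time of 2025-01-01 (1735689600), the audit flags intern2024 (name longer than eight characters, and an expiry in the past) and bigid (UID and GID above the recommended limits), while root, daemon and jru pass.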

4.3.1.3. The Superuser Account

The superuser account, usually called
root, is used to
manage the system with no limitations on privileges. For
this reason, it should not be used for day-to-day tasks like
sending and receiving mail, general exploration of the
system, or programming.

The superuser, unlike other user accounts, can operate
without limits, and misuse of the superuser account may
result in spectacular disasters. User accounts are unable
to destroy the operating system by mistake, so it is
recommended to log in as a user account and to only become
the superuser when a command requires extra
privilege.

Always double and triple-check any commands issued as
the superuser, since an extra space or missing character can
mean irreparable data loss.

There are several ways to gain superuser privilege.
While one can log in as
root, this is
highly discouraged.

Instead, use su(1) to become the superuser. If
- is specified when running this command,
the user will also inherit the root user's environment. The
user running this command must be in the
wheel group or
else the command will fail. The user must also know the
password for the
root user
account.

In this example, the user only becomes superuser in
order to run make install as this step
requires superuser privilege. Once the command completes,
the user types exit to leave the
superuser account and return to the privilege of their user
account.

Example 4.1. Install a Program As the Superuser

% configure
% make
% su -
Password:
# make install
# exit
%

The built-in su(1) framework works well for single
systems or small networks with just one system
administrator. An alternative is to install the
security/sudo package or port. This
software provides activity logging and allows the
administrator to configure which users can run which
commands as the superuser.

4.3.2. Managing Accounts

FreeBSD provides a variety of different commands to manage
user accounts. The most common commands are summarized in
Table 4.1, “Utilities for Managing User Accounts”, followed by some
examples of their usage. See the manual page for each utility
for more details and usage examples.

Table 4.1. Utilities for Managing User Accounts (partial)

pw(8): A powerful and flexible tool for modifying all
aspects of user accounts.

4.3.2.1. adduser

The recommended program for adding new users is
adduser(8). When a new user is added, this program
automatically updates /etc/passwd and
/etc/group. It also creates a home
directory for the new user, copies in the default
configuration files from
/usr/share/skel, and can optionally
mail the new user a welcome message. This utility must be
run as the superuser.

The adduser(8) utility is interactive and walks
through the steps for creating a new user account. As seen
in Example 4.2, “Adding a User on FreeBSD”, either input
the required information or press Return
to accept the default value shown in square brackets.
In this example, the user has been invited into the
wheel group,
allowing them to become the superuser with su(1).
When finished, the utility will prompt to either
create another user or to exit.

4.3.2.2. rmuser

When run as the superuser, rmuser(8) removes a user
account in a series of steps, including the following.

Optionally removes the user's home directory, if it
is owned by the user.

Removes the incoming mail files belonging to the
user from /var/mail.

Removes all files owned by the user from temporary
file storage areas such as
/tmp.

Finally, removes the username from all groups to
which it belongs in /etc/group. If
a group becomes empty and the group name is the same as
the username, the group is removed. This complements
the per-user unique groups created by
adduser(8).

rmuser(8) cannot be used to remove superuser
accounts since that is almost always an indication of
massive destruction.

By default, an interactive mode is used, as shown
in the following example.

4.3.2.3. chpass

Any user can use chpass(1) to change their default
shell and personal information associated with their user
account. The superuser can use this utility to change
additional account information for any user.

When passed no options, aside from an optional username,
chpass(1) displays an editor containing user
information. When the user exits from the editor, the user
database is updated with the new information.

Note:

This utility will prompt for the user's password when
exiting the editor, unless the utility is run as the
superuser.

4.3.2.4. passwd

Any user can easily change their password using
passwd(1). To prevent accidental or unauthorized
changes, this command will prompt for the user's original
password before a new password can be set:

Example 4.6. Changing Your Password

% passwd
Changing local password for jru.
Old password:
New password:
Retype new password:
passwd: updating the database...
passwd: done

The superuser can change any user's password by
specifying the username when running passwd(1). When
this utility is run as the superuser, it will not prompt for
the user's current password. This allows the password to be
changed when a user cannot remember the original
password.

4.3.2.5. pw

The pw(8) utility can create, remove,
modify, and display users and groups. It functions as a
front end to the system user and group files. pw(8)
has a very powerful set of command line options that make it
suitable for use in shell scripts, but new users may find it
more complicated than the other commands presented in this
section.

4.3.3. Managing Groups

A group is a list of users. A group is identified by its
group name and GID. In FreeBSD, the kernel
uses the UID of a process, and the list of
groups it belongs to, to determine what the process is allowed
to do. The GID of a user or process usually refers to the
first group in that list.

The group name to GID mapping is listed
in /etc/group. This is a plain text file
with four colon-delimited fields. The first field is the
group name, the second is the encrypted password, the third
the GID, and the fourth the comma-delimited
list of members. For a more complete description of the
syntax, refer to group(5).

The superuser can modify /etc/group
using a text editor. Alternatively, pw(8) can be used to
add and edit groups. For example, to add a group called
teamtwo and then
confirm that it exists:

The argument to -M is a comma-delimited
list of users to be added to a new (empty) group or to replace
the members of an existing group. To the user, this group
membership is different from (and in addition to) the user's
primary group listed in the password file. This means that
the user will not show up as a member when using
groupshow with pw(8), but will show up
when the information is queried via id(1) or a similar
tool. When pw(8) is used to add a user to a group, it
only manipulates /etc/group and does not
attempt to read additional data from
/etc/passwd.

In this example, the argument to -m is a
comma-delimited list of users who are to be added to the
group. Unlike the previous example, these users are appended
to the group and do not replace existing users in the
group.
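To make the /etc/group format and the difference between -M (replace members) and -m (append members) concrete, here is an added Python example that is not part of the FreeBSD Handbook and does not call pw(8): it parses group(5) lines, models the two pw groupmod operations as described above, and derives the group list id(1) would print, which includes the primary group from the password file even though that group's member list in /etc/group may be empty (the pw groupshow point made above). It also includes the wheel-membership check that su(1) relies on, from Section 4.3.1.3. The group file, user names and primary GIDs are constructed sample data.

```python
"""Added example (not part of the FreeBSD Handbook): a small model of
/etc/group with group(5)'s four colon-delimited fields, showing how the
'replace members' (-M) and 'append members' (-m) operations differ, and
why a user's primary group appears in id(1) output but not in the member
list that pw groupshow prints. The sample data is constructed for this
example; no system file is read and pw(8) is not invoked."""

# Constructed /etc/group contents: name:password:gid:members
SAMPLE_GROUP = """\
wheel:*:0:root,jru
daemon:*:1:
jru:*:1001:
db:*:1002:
teamtwo:*:1100:
"""

# Constructed primary GIDs, as they would appear in the password file.
PRIMARY_GID = {"root": 0, "jru": 1001, "db": 1002}


def parse_group(text):
    """Parse group(5) lines into {name: {"gid": int, "members": [...]}}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def format_group(groups):
    """Render the mapping back to group(5) text (password field kept as '*')."""
    return "".join(f"{n}:*:{g['gid']}:{','.join(g['members'])}\n"
                   for n, g in groups.items())


def set_members(groups, group, users):
    """Model of 'pw groupmod GROUP -M user1,user2': replace the member list."""
    groups[group]["members"] = list(users)


def append_members(groups, group, users):
    """Model of 'pw groupmod GROUP -m user1,user2': append without duplicates."""
    for user in users:
        if user not in groups[group]["members"]:
            groups[group]["members"].append(user)


def effective_groups(groups, user):
    """The group list id(1) would report: the primary group from the password
    file first, then every group whose member list in /etc/group names the user."""
    by_gid = {g["gid"]: n for n, g in groups.items()}
    names = [by_gid[PRIMARY_GID[user]]]
    names += [n for n, g in groups.items()
              if user in g["members"] and n not in names]
    return names


def may_su(groups, user):
    """su(1) fails unless the user is in wheel (the root password is still required)."""
    return "wheel" in effective_groups(groups, user)


if __name__ == "__main__":
    groups = parse_group(SAMPLE_GROUP)
    set_members(groups, "teamtwo", ["jru"])     # like: pw groupmod teamtwo -M jru
    append_members(groups, "teamtwo", ["db"])   # like: pw groupmod teamtwo -m db
    print(format_group(groups), end="")
    for user in ("jru", "db"):
        print(user, effective_groups(groups, user), "su allowed:", may_su(groups, user))
```

Running the script shows the jru group line in /etc/group with an empty member list, while effective_groups reports jru as that user's first group, exactly the discrepancy between groupshow and id(1) described above.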